Hacking and attacking automated homes

Do you have an automated home system, a 'smart' house? At Black Hat USA 2013 and Def Con 21, there will be several presentations about attacking the automated house, including automated homes using the Z-Wave wireless protocol.

If you added a home automation system to create your version of a "smart" house, it could give you access from anywhere in the world to remotely control your lights, door locks, house temperature, electric appliances, water valves, alarm system, garage door, and shades and blinds, or even to turn on music and crank up the volume. While that might seem pretty sweet, it also can be pretty vulnerable. If you use the Z-Wave wireless protocol for home automation, then you might want to prepare to have your warm, fuzzy happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013 and Def Con 21.

Home automation devices are easy to spot with Shodan, a search engine for hackers, as pointed out by its creator John Matherly. And the home automation market is forecast "to exceed $5.5 billion in 2016." Despite the technology having been available for over a decade, and many of these automation systems being extremely vulnerable, having a "smart house" has become very trendy.

Exploiting houses with home automation may not be low-hanging fruit for malicious hackers, but with its increasing popularity and expanding product lines, we will see it gaining more attention from hackers who realize how insecure many of these systems actually are. For example, CEDIA IT Task force member Bjorn Jensen said, "Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse."

The Z-Wave wireless protocol is particularly popular for home automation; according to the Z-Wave facts, there are "over 700 interoperable products available, 12 million Z-Wave products worldwide." They are "supported by over 160 manufacturers and service providers throughout the world," and can be "found in thousands of hotels, cruise ships, and vacation rentals; including 65,000 devices in the flagship Wynn Hotel in Las Vegas, NV."

Yet at Def Con 19 in 2011, Rob Simon and Dave Kennedy showed off how to hack home and business automation over the power lines; they said that "Zwave power-over-broadband technology supports AES encryption," but Kennedy explained that "It's possible to sniff those encryption keys when initializing the devices and inject packets." In fact, they added "The one device they found that was using it, implemented the encryption incorrectly - the key exchange was done in the clear so an attacker could intercept the keys and decrypt all of the communication." There has otherwise been "almost no public security research done on the Z-Wave protocol."

Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a "smart home". As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV.

Among other things, the hacking Z-Wave synopsis adds, "Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems...Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels.... Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks."

A growing trend in electronics is to have them integrate with your home network in order to provide potentially useful features like automatic updates or to extend the usefulness of existing technologies such as door locks you can open and close from anywhere in the world. What this means for us as security professionals or even just as people living in a world of network-connected devices is that being compromised poses greater risk than before.

Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm. If your door lock or space heater are compromised, you're going to have a very bad day. This talk will discuss the potential risks posed by network-attached devices and even demonstrate new attacks against products on the market today.

"Let's get physical: Breaking home security systems and bypassing buildings controls" will also be presented at Black Hat by Drew Porter and Stephen Smith. It is described as:

36 million home & office security systems reside in the U.S., and they are all vulnerable. This is not your grandpa's talk on physical security; this talk is about bypassing home and office digital physical security systems, from simple door sensors to intercepting signals and even the keypad before it can alert the authorities. All the methods presented are for covert entry and leave no physical sign of entry or compromise. If you are interested in bettering your skills as a pen tester or just want to know how to break into an office like a Hollywood spy, this is the talk for you. Come join us to see live demos of what the security companies never want you to see.

Smart homes are both exciting and terrifying, and will increasingly be so after the hacking and attacking automated home talks. Until we know more about how to protect ourselves from "home automation hacker bots," CEPro advised not to use the default username and password, not to leave ports open or use port forwarding, and to use “VPN systems whenever possible, because data in-between is encrypted and there are no open ports for hackers to exploit.”
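The three CEPro recommendations above can be turned into a repeatable check of your own gateway. The following is an added example, not code from the article or from any vendor: the port-forward table, device inventory, default-credential list and the `audit` function are all constructed for illustration, and you would replace them with an export from your own router and controllers.

```python
import ipaddress

# Constructed sample data: a hypothetical export of a home router's
# port-forward table and a device inventory (not taken from the article).
FORWARDS = [
    {"name": "automation-panel", "wan_port": 8080, "lan_ip": "192.168.1.20",
     "lan_port": 80, "source": "0.0.0.0/0"},
    {"name": "camera", "wan_port": 554, "lan_ip": "192.168.1.31",
     "lan_port": 554, "source": "203.0.113.7/32"},
    {"name": "vpn", "wan_port": 51820, "lan_ip": "192.168.1.1",
     "lan_port": 51820, "source": "0.0.0.0/0"},
]
DEVICES = [
    {"ip": "192.168.1.20", "user": "admin", "password": "admin"},
    {"ip": "192.168.1.31", "user": "viewer", "password": "t7#Qm2!vLx9p"},
]
# Assumed list of factory-default pairs; extend it from your vendors' manuals.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"),
                 ("admin", "1234"), ("root", "root")}
# Assumption: the VPN endpoint is the only forward meant to face the internet.
VPN_FORWARDS = {"vpn"}


def audit(forwards, devices, vpn_names=VPN_FORWARDS):
    """Return sorted (target, finding) pairs for the three recommendations."""
    findings = []
    # 1. No default username and password.
    for dev in devices:
        if (dev["user"].lower(), dev["password"].lower()) in DEFAULT_CREDS:
            findings.append((dev["ip"], "default-credentials"))
    # 2. No open ports or port forwarding, except the VPN endpoint itself.
    for fwd in forwards:
        if fwd["name"] in vpn_names:
            continue
        source = ipaddress.ip_network(fwd["source"])
        kind = "open-to-internet" if source.prefixlen == 0 else "port-forward"
        findings.append((fwd["lan_ip"], kind))
    # 3. Remote access should go through a VPN; flag forwards with none present.
    if forwards and not any(f["name"] in vpn_names for f in forwards):
        findings.append(("gateway", "no-vpn-endpoint"))
    return sorted(findings)


if __name__ == "__main__":
    for target, finding in audit(FORWARDS, DEVICES):
        print(f"{target}: {finding}")
```

A source-restricted forward is still reported, because the recommendation is to avoid port forwarding altogether; the separate `open-to-internet` label marks the rules that accept connections from any address and should be removed first.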